Mobile Pentest


  • Past few years: just a mobile phone

    Phone calls, sending text messages or MMS, alarm clock, calculator, listening to music

    EDGE for surfing the internet !!

  • Now: 3G, 4G and Wi-Fi support on the mobile network

    The phone became more intelligent (smartphone): sending email, surfing the internet, checking in for flights, online banking transactions, social networks (Facebook, Twitter, Instagram, etc.)

  • Companies started creating mobile applications to offer services to clients: storing and synchronizing data files in the cloud, participating in social network sites. The data that is stored, processed and transferred can often be considered sensitive.

  • Mobile App Attack Surface

    Three attack surfaces: Client Software on Mobile Device, Communications Channel, Server Side Infrastructure

    [Diagram: Mobile Phone (Client Software) -> Internet (Communication Channel) -> Application Server (Server Side Infrastructure)]

  • Client Software on Mobile Device: packages are typically downloaded from the App Store or Google Play, or provided via the company website

    Testing requires a rooted or jailbroken device for access to all files and folders on the local file system

    Packages can be decompiled, tampered with or reverse engineered

  • Attention points: files on the local file system, application authentication & authorization, error handling & session management, business logic, decompiling and analyzing

  • Communication Channel: the channel between the client and the server (HTTPS, EDGE, 3G)

    Test with an HTTP proxy (Burp, ZAP) to intercept and alter traffic

    If the application does not use HTTP, a transparent TCP and UDP proxy such as Mallory can be used

  • Attention points: sniffing of sensitive information, replay attack vulnerabilities, secure transfer of sensitive information

  • Server Side Infrastructure: the attack vectors for the web servers behind a mobile application are similar to those used for regular websites

    Perform host and service scans on the target system to identify running services

  • Attention points: OWASP Top 10 vulnerabilities (SQLi, XSS, ...), running services and their versions, infrastructure vulnerability scanning

  • Pentest iOS Application

  • Insecure Storage: why applications need to store data

    Ease of use for the user, popularity, single-click activity, decreased transaction time. 9 out of 10 applications have this vulnerability.

    How an attacker can gain access

    Wi-Fi, the default password after jailbreaking (alpine), physical theft, temporary access to the device, backup files

  • Insecure Storage: local data storage

    Plist and XML files: NSUserDefaults, a class that provides a programmatic interface for interacting with the defaults system; it keeps the information in a plist file

    SQLite data files: Core Data services, an object model over a relational database (SQLite); Core Data-managed tables are prefixed with Z

    Keychain

  • Enumerate sensitive information from local files

  • Example: the WordPress iOS app stored the username and password in a .plist file
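As an added example (not from the deck, and not the WordPress app's real file), a small Python check that parses a preferences plist the way NSUserDefaults lays it out and flags leaf values whose key name looks like a credential; the plist below is constructed for the demo.

```python
import plistlib
import re

# Constructed sample preferences plist with a clear-text login (demo data only).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppVersion</key><string>3.2</string>
  <key>Accounts</key>
  <array>
    <dict>
      <key>username</key><string>blogadmin</string>
      <key>password</key><string>S3cret!</string>
      <key>url</key><string>https://blog.example.com/xmlrpc.php</string>
    </dict>
  </array>
  <key>session_token</key><string>deadbeef-constructed</string>
</dict>
</plist>
"""

# Key names that usually mean "this value should not be on disk in clear text".
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|credential)", re.I)


def walk(node, path=""):
    """Yield (path, value) for every leaf in a parsed plist (dicts and arrays nest)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_sensitive(plist_bytes):
    """Return (path, value) pairs whose key name matches SENSITIVE_KEY and is a non-empty string."""
    data = plistlib.loads(plist_bytes)
    hits = []
    for path, value in walk(data):
        key = path.rsplit("/", 1)[-1]
        if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
            hits.append((path, value))
    return hits


if __name__ == "__main__":
    for path, value in find_sensitive(SAMPLE_PLIST):
        print(f"clear-text secret at {path}: {value}")
```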

  • SQL Injection in the local database: most mobile platforms use SQLite as the database for storing information on the device

    Using any SQLite database browser, it is possible to access the database and its logs, which contain queries and other sensitive database information

    If the application does not filter input, SQL injection on the local database is possible

  • a' or 'a'='a

  • Bad Code

    NSString *uid = [myHTTPConnection getUID];
    // user input is pasted into the SQL text, so it can change the query
    NSString *statement = [NSString stringWithFormat:@"SELECT username FROM users WHERE uid = %@", uid];
    const char *sql = [statement UTF8String];

    Good Code

    // the uid travels as a bound parameter, never as part of the SQL text
    const char *sql = "SELECT username FROM users WHERE uid = ?";
    sqlite3_stmt *selectUid = NULL;
    sqlite3_prepare_v2(db, sql, -1, &selectUid, NULL);
    int uid = [[myHTTPConnection getUID] intValue];
    sqlite3_bind_int(selectUid, 1, uid);
    int status = sqlite3_step(selectUid);
    sqlite3_finalize(selectUid);
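The same Bad Code / Good Code contrast, as an added example that is not from the deck: Python's standard sqlite3 module stands in for the iOS sqlite3 C API, the users table is constructed in memory, and the slide's a' or 'a'='a input is run through both query styles so the difference is visible.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the app's local SQLite file.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid TEXT, username TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return db


def lookup_bad(db, uid):
    # Mirrors the slide's Bad Code: the uid becomes part of the SQL text,
    # so an input such as  a' or 'a'='a  rewrites the WHERE clause.
    sql = "SELECT username FROM users WHERE uid = '%s'" % uid
    return [row[0] for row in db.execute(sql)]


def lookup_good(db, uid):
    # Mirrors the slide's Good Code: the uid is a bound parameter
    # (sqlite3_prepare_v2 + sqlite3_bind in the C API), never SQL text.
    sql = "SELECT username FROM users WHERE uid = ?"
    return [row[0] for row in db.execute(sql, (uid,))]


def demo():
    """Run a normal uid and the injection payload through both styles."""
    db = make_db()
    payload = "a' or 'a'='a"  # the slide's test input (constructed)
    return {
        "bad_normal": lookup_bad(db, "1001"),
        "bad_payload": lookup_bad(db, payload),    # every row leaks
        "good_normal": lookup_good(db, "1001"),
        "good_payload": lookup_good(db, payload),  # no uid equals the literal string
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```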

  • Buffer Overflow

    When input data longer than the buffer size is accepted, it overwrites other data in memory. There is no protection by default in C, Objective-C and C++.

  • Decrypt the application and find hardcoded secrets: applications from the App Store are encrypted and signed

  • Decrypt the application and find hardcoded secrets: Clutch

    Used for iOS application decryption; can be run from the command line

  • Decrypt the application and find hardcoded secrets: runtime analysis with GDB

    Use Clutch, view the class-dump-z output, set a breakpoint, analyze objc_msgSend, find the passcode, evade checks

    https://vimeo.com/66617415

  • Communication Channel: poor or no encryption in transit (traffic over HTTP), token passing, device ID (UDID) sent over a poor channel, privacy concerns (the UDID can be used to track the user)

  • BurpSuite Proxy

  • Server Side Infrastructure: apps communicate with backend web services (OWASP Top 10 auditing); most communication uses XML (MitM and inject bad XML); UIWebViews (used to embed web content in the app)

    Execute JavaScript (XSS), fuzz data sent/received

  • Case Study: iOS App Pentest

    Client Software: found the backend path in Localizable.strings

    Server-Side Infrastructure: access to port 8080 (Apache Tomcat); logged in with the default Tomcat username and password; uploaded malicious JSP code to the web server (bypassing Symantec); access to a configuration file containing database credentials; OWNed !! Database server

  • Localizable.strings

  • Logged in with Default Tomcat credentials

  • Upload Malicious JSP code

  • Backend Compromised

  • Database Compromised

  • Pentest Android Application

  • Local Data Storage flaws

  • Weak encoding/encryption

  • Insecure Storage Reverse Engineering

    APKtool to decode resources. Convert the .apk file to .zip and extract it; classes.dex is found inside. dex2jar converts .dex to .jar. Use JD-GUI to open the JAR file and review the source code.

  • BurpSuite Proxy

  • Insecure Logging

  • Identity Decloaking

  • Server Side Infrastructure: apps communicate with backend web services (OWASP Top 10 auditing); fuzz data sent/received

  • Case Study: Android App Pentest

    Client Software: found the backend path through reverse engineering; found the FTP username and password

    Communication Channel: found mail credentials

    Server-Side Infrastructure: access to the FTP server; access to Terminal Services; logged in with the FTP credentials; PWNed !! Backend server; compromised internal server

  • Reverse Engineering

  • Logged in with FTP credential

  • 100 porn images found !!

  • Burp Proxy

  • Access Mail

  • Backend Compromised

  • Authors: ZeQ3uL and diF http://www.exploit-db.com/papers/26620/

    [Diagram: Local Storage / Internet / Sniff Traffic]

    Deck: Mobile Application PenTest (Fast-track), by Prathan Phongthiproek

    Slide outline: Past few years; Now; Three Attack Surfaces; Client Software on Mobile Device; Communications Channel; Server-Side Infrastructure; Case Study: iOS App Pentest; Client Software on Mobile Device; Communication Channel; Server Side Infrastructure; Case Study: Android App Pentest; Mobile Application Hacking Diary EP.1